Internet > Security Issues > Encryption >

Digital Signatures

A message can be 'signed' using a privately held encryption key. Anyone can verify this signature using the corresponding publicly revealed encryption key. Signatures cannot be forged, and a signer cannot later deny the validity of his signature. This has obvious applications in 'electronic mail' and 'electronic funds transfer' systems...

- Rivest, Shamir, Adleman; A method for obtaining digital signatures and public-key cryptosystems; Communications of the ACM; Feb. 1978.

Public Key Cryptography (PKC) enables you to send a digital signature across the Internet to verify a document actually came from you.

A digital signature is like a normal signature, in that it identifies you uniquely and is difficult to fake. A digital signature can be added to an email, document, or other file that you send to someone else using PKC, enabling the addressee to verify that the communication actually came from you. In practice, real implementation of digital signature systems was a prerequisite to widespread adoption of financial and legal communications on the Internet.

The full description of the digital signature process is described below. Remember that everyone using PKC has two keys, one private and one public, either of which can decrypt messages encrypted with the other.

  • Encrypt message. As normal, first the sender encrypts the message with the recipient's public key.
  • Add signature. Then the sender adds their signature to the encrypted message, perhaps some text like "This message is from John Smith", and then encrypts the whole thing with their own private key.
  • Decrypt signature. The recipient receives the message and decrypts it with the sender's public key, which produces the digital signature and the encrypted message.
  • Decrypt message. The recipient then decrypts the remaining message with their own private key.

If this unwrapping procedure works, revealing a legible digital signature and a legible message, then the recipient can be sure that the message was sent by the sender, since only they are in possession of the private key used to encrypt the entire message.

In practice, the PGP system implements digital signatures by encrypting only a compact cryptographic checksum of the sender's message with the private key, thereby providing a smaller and more efficient attachment that still ensures that the signature is for the message it was sent with.

In the late 1990's and early part of the 2000's, more and more countries starting passing legislation recognizing the legal validity of digital signatures in order to provide a foundation for adoption of business on the Internet. A number of companies even established businesses to provide digital signatures to other online business, such as Verisign.